It seems like there has already been a lot of activity this year in the security world by way of high-profile vulnerabilities that were being exploited before a fix was available. First the Adobe Flash and Acrobat/Reader fixes, then the Ruby on Rails exploit, and now Oracle turning around a fast fix and Microsoft delivering an out-of-band patch for Internet Explorer.
Oracle has moved quickly to release a fix for the vulnerability (CVE-2013-0422) which, as of last week, was publicly known to be "weaponized" in widely available black market exploit kits. This fix is available now as Java 7u11, and anyone who uses Java in their browser should update immediately. This fix also changes the default Java browser security settings to require user consent before executing Java applets that are not digitally signed or are self-signed, which indicates that Oracle has made a minor concession on ease-of-use to try to protect users from the *next* time a Java vulnerability is exploited in the wild.
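The practical follow-up to "update immediately" is knowing which hosts are still below 7u11. The following is an added example (not code from the original post or from Oracle) that parses the legacy `1.7.0_NN` version string printed by `java -version` and applies the single rule the post states: Java 7 earlier than update 11 needs the fix. The host names and the version output are constructed sample data; Java families other than 7 are reported as outside the scope of this check rather than guessed at.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample output of `java -version` as collected from several
# hosts; these are not real captures.
SAMPLE_OUTPUT = {
    "host-a": 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)\n',
    "host-b": 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment (build 1.7.0_11-b21)\n',
    "host-c": 'java version "1.7.0"\n',          # GA release, no update number
    "host-d": 'java version "1.6.0_38"\n',       # Java 6: not covered by the 7u11 rule
    "host-e": "bash: java: command not found\n",  # no Java on this host
}

FIXED_FAMILY = 7   # Java 7
FIXED_UPDATE = 11  # 7u11 is the release the post says carries the CVE-2013-0422 fix

# Legacy Oracle version scheme: 1.<family>.0_<update>; the _<update> part is
# absent on a GA build, which we treat as update 0.
VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


class JavaVersion(NamedTuple):
    family: int
    update: int


def parse_java_version(output: str) -> Optional[JavaVersion]:
    """Extract (family, update) from `java -version` output, or None if absent."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, _micro, update = m.groups()
    # In the "1.x.0_NN" scheme the family is the second component; newer
    # "9.0.1"-style strings put the family first.
    family = int(minor) if int(major) == 1 else int(major)
    return JavaVersion(family, int(update or 0))


def assess(output: str) -> str:
    """Classify one host's `java -version` output against the 7u11 rule."""
    v = parse_java_version(output)
    if v is None:
        return "no-java"
    if v.family != FIXED_FAMILY:
        return "not-covered"   # the post only speaks to Java 7
    return "patched" if v.update >= FIXED_UPDATE else "update-required"


def triage(hosts: dict) -> dict:
    """Map each host name to its verdict."""
    return {host: assess(output) for host, output in hosts.items()}


if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_OUTPUT).items()):
        print(f"{host}: {verdict}")
```

Feed it the real `java -version` output from your inventory tool and the `update-required` hosts are your patch list; anything `not-covered` needs a separate decision, since this check deliberately applies only the rule the post gives.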
Microsoft has released an out-of-band advisory and patch for Internet Explorer to address a vulnerability affecting versions 6, 7, and 8 (CVE-2012-4792). If Microsoft's security team is correct, this vulnerability is still seeing only limited exploitation in the wild, but there is no reason to hold off on releasing a fix now that the patch is ready. It's always a race between security teams and malware writers, and in this case, given the attention this vulnerability has received, it likely will not be long before exploitation becomes widespread. Getting a fix out under these circumstances is like immunizing ahead of an outbreak that has already started.
Both of these issues will be covered in Nexpose 5.5.6.
It's been reported that the current Java patch fixes one of the two bugs being used in the public exploit packs (CVE-2012-3174), but not the more widely reported CVE-2013-0422. That means this new fix will block the public exploits that are in the wild using this vector; however, there is still an issue which could be exploited, in combination with some other, yet-to-be-disclosed vulnerability, to gain root. That said, the change of default security settings in the Java browser plugin will help to mitigate against future exploitation. This may be an indication that Oracle had one patch ready and decided to stop the bleeding rather than wait for a complete fix; in that case we may see another Java patch in the near future. However, the January Oracle Cumulative Patch Update that is due tomorrow is not expected to include further Java fixes. The next Java CPU release is not scheduled until February 19, 2013, which is a long time to wait in the world of malware.
This begs the question: did Oracle claim to have fixed CVE-2013-0422 when they knew they had not? I mean, there is no ambiguity in that advisory; it says CVE-2013-0422 is fixed. If it isn't (as the very smart people at Immunity Sec, whom I am inclined to believe, have demonstrated), then did Oracle somehow not know this? Or did they just put something out there that stopped the exploit they knew about and then stop looking for the issue (as they have done in the past)? Or did they know this was an incomplete fix but want to take the heat off? Either way, it's not impressive.